Overview of HIPAA Breach Notification Rule

Vimal Mohan

Apr 15, 2023

HIPAA (Health Insurance Portability and Accountability Act) is a federal law in the United States, regulated by the Department of Health and Human Services, that protects the integrity of patients’ Protected Health Information (PHI). The HIPAA breach notification rule specifies the mandatory protocols healthcare organizations must follow in the event of a data breach.

Implementing and abiding by its guidelines can be tough, but failure to comply could result in heavy administrative penalties or criminal charges.

If your organization has not implemented its breach notification policy yet or is improving its existing framework, this article helps you understand the breach notification rule, the penalties that come with non-compliance, and a few tips to help you comply.

The HIPAA breach notification rule applies to Covered Entities (CEs) and Business Associates (BAs), but it applies to each differently. CEs remain responsible for a breach even if it occurs at a BA’s end.

What is the HIPAA Breach Notification rule?

The HIPAA breach notification rule is one of the most important guidelines that elucidate what the covered entities must do to notify impacted patients when their Protected Health Information (PHI) is accessed, processed, or disclosed in a manner that compromises their privacy or security.

Why should organizations follow the HIPAA Breach Notification rule?

The regulators of HIPAA, the Department of Health and Human Services (HHS), understand that sometimes even the most secure organizations, with top-of-the-line security measures, state-of-the-art software, and well-trained employees, become victims of a security incident.

The HIPAA breach notification rule mandates steps and processes for the organization to follow after a breach. Failure to comply can result in steep fines and also lead to criminal charges.

For an organization processing secure medical data, knowing what qualifies as a breach is imperative.

What is a breach?

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of personal health records.

An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the unsecured protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

The most common examples are:

  • Organizations using non-encrypted channels to discuss PHI, whether with an internal employee or with the patient.
  • Organizations falling victim to phishing attacks and handing over access credentials or transferring PHI.
  • Organizations failing to implement safeguards that protect PHI from external and internal misuse.

While these are a few common examples of a breach, the definition of a breach under HIPAA is more nuanced than this. Multiple scenarios exist where unauthorized access to PHI might not be considered a breach. But that is a subject we will cover in more detail in another article.

HIPAA Breach Notification Rule Requirements

According to the HIPAA breach notification rule, organizations processing PHI have 60 calendar days to inform the affected individuals about the breach, the extent of the breach, and the steps implemented to mitigate immediate and future risks. This is to ensure that the individual is apprised of the situation.

It is important to understand that the breach notification rule is applied differently for CEs and BAs. CEs have to report a breach to the HHS within 60 days from the date the breach was discovered, while BAs have to report the breach to the CEs they work for within 60 days. The CE then decides whether the reported incident qualifies as a breach and determines the next steps.

Here are the five steps organizations must implement after a breach incident:

Step 1: Set a Timeline for Issuing Breach Notifications

HIPAA breach notifications must be sent within 60 days from the date of breach discovery. The only exception that allows notification to be delayed is when the organization is under a federal review or has been asked by the government not to notify the individuals.

To comply with the breach notification rule, the breach notice must be sent out as early as possible. There have been recorded instances where the HHS has penalized organizations for delayed notifications even though the message was sent within the 60-day window.

Step 2: Inform Individuals Impacted by the Breach

The organization must send written notifications to all individuals impacted by the breach using a first-class mailing service or email, depending on the patient’s preferred communication channel.

They should also host a hotline, for a period of 90 days after breach discovery, where patients can call in to check whether their PHI has been affected.

The notice sent should include information on the following:

  • The type of data that was accessed without authorization.
  • How this breach could affect individuals and what they need to do to protect themselves from its impact.
  • The measures the organization has deployed to minimize damage and prevent similar incidents from happening again.
  • Contact information for the CE and any BAs involved so that individuals can reach them.

All of this should be presented in a simple, jargon-free manner so that any individual reading it can understand what happened and assess the impact it could have on their lives.

A Business Associate must notify the Covered Entity about the breach no later than 60 days from the discovery of the breach.

Step 3: Issue a Notice to the Media Agencies About the Breach

If the data breach affected more than 500 individuals, the organization must also make a public announcement to media outlets, asking them to broadcast the message in the area where the organization operates. This announcement should include the same information as the written notice sent to individuals.

Organizations have 60 calendar days from the incident date to make this media announcement. Failure to comply could lead to heavy administrative penalties, criminal charges, or both.

Step 4: Inform the Department of Health and Human Services

Along with issuing a media notice, the organization must also inform the Secretary of the Department of HHS about the breach if it impacts more than 500 individuals.

If the breach affects fewer than 500 individuals, the organization can notify the HHS annually. In that case, the notification to the HHS must be sent within 60 days after the end of the calendar year in which the breach occurred.

Suppose an organization discovers a breach affecting fewer than 500 individuals in October. The HHS must then be notified within 60 days of the end of that calendar year, i.e. by March 1 of the following year.

This notification must be done via the official reporting tool.

Step 5: Display breach notification on the website

In the event of a breach, if the organization lacks up-to-date contact information for more than ten affected individuals, it must post a notice about the breach on its official business website. This notice should link to a page detailing the particulars of the security breach.

This notice should remain live for a period of 90 days.

In the other scenario, where the organization lacks up-to-date contact information for fewer than ten affected individuals, it can use alternative channels such as calling them on the phone or emailing them.
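The five steps above amount to a decision procedure keyed on the discovery date, the number of affected individuals, and how many of them cannot be reached. The following is an added example (not code from the article or from Sprinto) that encodes those rules as a deadline calculator an incident response team could drop into a playbook. It assumes every window is counted from the discovery date and that exactly ten unreachable individuals is handled like the "more than ten" website case; the thresholds and windows are those the article states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows and thresholds as the article states them (constructed constants).
NOTIFY_WINDOW = timedelta(days=60)    # individual, media and large-breach HHS notices
POSTING_WINDOW = timedelta(days=90)   # hotline and website substitute notice
MEDIA_THRESHOLD = 500                 # "more than 500 individuals" triggers media + HHS
STALE_CONTACT_THRESHOLD = 10          # unreachable individuals that trigger a website notice


@dataclass(frozen=True)
class Obligations:
    individual_notice_by: date
    hotline_until: date
    hhs_notice_by: date
    media_notice_by: Optional[date]       # None when no media notice is required
    website_notice_until: Optional[date]  # None when no website notice is required
    use_alternative_contact: bool         # phone/email for a few unreachable individuals


def breach_obligations(discovered: date, affected: int, stale_contacts: int) -> Obligations:
    """Map a breach (discovery date, headcount, unreachable individuals) to deadlines.

    Assumption: all windows run from the discovery date; exactly ten unreachable
    individuals is treated like the 'more than ten' website case.
    """
    sixty_days = discovered + NOTIFY_WINDOW
    ninety_days = discovered + POSTING_WINDOW
    large_breach = affected > MEDIA_THRESHOLD
    if large_breach:
        hhs_by = sixty_days  # reported alongside the media notice
    else:
        # Small breaches go into the annual report: 60 days after the calendar year ends.
        hhs_by = date(discovered.year, 12, 31) + NOTIFY_WINDOW
    website_needed = stale_contacts >= STALE_CONTACT_THRESHOLD
    return Obligations(
        individual_notice_by=sixty_days,
        hotline_until=ninety_days,
        hhs_notice_by=hhs_by,
        media_notice_by=sixty_days if large_breach else None,
        website_notice_until=ninety_days if website_needed else None,
        use_alternative_contact=0 < stale_contacts < STALE_CONTACT_THRESHOLD,
    )


if __name__ == "__main__":
    # Constructed scenario: 120 records, discovered mid-October, 12 people unreachable.
    print(breach_obligations(date(2022, 10, 14), affected=120, stale_contacts=12))
```

Note that the small-breach HHS deadline lands on March 1 only in a non-leap year; the date arithmetic handles the leap-year case (February 29) on its own.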

What is the penalty for ignoring the Breach Notification requirement?

The penalty for non-compliance with the HIPAA breach notification rule is expensive. The penalty amount, however, is determined by the Office for Civil Rights (OCR) based on the severity of the breach, the intent, and the remediation steps taken by the organization.

The penalties associated with the HIPAA breach notification rule are between USD 200,000 and 400,000.

The Sprinto way of compliance

Non-compliance with HIPAA is an expensive affair that extracts time and resources from organizations. Time and resources spent towards firefighting the after-effects of HIPAA non-compliance can be better spent on business development and expansion by preventing the occurrence of non-compliance in the first place. 

Sprinto helps organizations with their HIPAA compliance by enabling them with the visibility required to monitor their overall compliance posture. In the event of an incident, Sprinto enables compliance by periodically alerting the team assigned to look into compliance with the next steps.

Sprinto’s escalation matrix is purpose-built to ensure that compliance gets prioritized by escalating priority action items that need immediate attention to avoid administrative fines and criminal charges for non-compliance.

This way, you don’t miss out on following HIPAA compliance protocol while focusing on your business development roadmap. Talk to our experts today to know how to become and remain HIPAA compliant to protect your organization from a breach.

FAQ

What is a HIPAA breach notification letter?

Organizations send breach notification letters to impacted breach victims. The breach notification letter contains all the details of the breach, including the nature of the breach, projected risk, safeguards the individuals could implement to secure their confidential information online, and lastly, what the organization is doing to minimize the risk and deploy preventive measures.

When should an individual be notified about the breach of PHI?

An individual should be notified about a breach of their PHI no later than 60 days following the discovery of the breach. In compliance with the HIPAA privacy rule, the notification should include a detailed description of the breach, the types of information involved, the steps the individual should take to protect themselves, and the contact information of the organization that experienced the breach.

What are the rules for breach notification?

The rules on breach notification vary depending on the regulation governing the affected entity. They typically cover the timeliness of the notification, the parties to notify (such as the government or the media), the content (a description of the breach), and the methods of notification.

What are the four criteria for determining a breach?

As per the HIPAA Privacy Rule, four criteria are used to determine whether a breach of PHI has occurred. They are:

1. The nature and extent of the Protected Health Information involved in the breach, including the types of information breached, the number of individuals whose PHI was involved, and the likelihood of re-identification.

2. The unauthorized person who received or used the PHI, or to whom the disclosure was made.

3. Whether the Protected Health Information was viewed or acquired.

4. The extent to which the risk to the PHI has been mitigated.

Vimal Mohan

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.
